Bug 2141445

Summary: Set rhcd_t SELinux module to permissive mode when installing
Product: Red Hat Enterprise Linux 9
Component: rhc
Version: 9.2
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Target Milestone: rc
Keywords: Triaged, ZStream
Reporter: Link Dupont <link>
Assignee: Link Dupont <link>
QA Contact: Pavol Kotvan <pakotvan>
CC: cmarinea, fjansen, pakotvan
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhc-0.2.1-10.el9
Clone Of:
: 2141446 2142135 2142136
Type: Bug
Last Closed: 2023-05-09 07:37:13 UTC
Bug Blocks: 2142135, 2142136

Description Link Dupont 2022-11-09 22:11:03 UTC
The rhc RPM needs to run 'semanage permissive --add rhcd_t' in its %post scriptlet.

The recommended snippet is to add the following line as the first line in the %post scriptlet:

%{_sbindir}/semanage permissive -a rhcd_t || true

This will require a new package, so add 'Requires(post): policycoreutils-python-utils' to the list of package requirements.

The permissive mode needs to be deleted when the package is uninstalled, so add the following to the end of %postun:

if [ $1 -eq 0 ]; then
     %{_sbindir}/semanage permissive -d rhcd_t || true
fi

Comment 3 Link Dupont 2022-11-10 17:08:06 UTC
[link@centos-stream-9 rhc]$ sudo semanage permissive --list
[link@centos-stream-9 rhc]$ sudo dnf install -y ./results_rhc/0.2.1/10.el9/rhc-0.2.1-10.el9.x86_64.rpm
...
[link@centos-stream-9 rhc]$ rpm -q rhc
rhc-0.2.1-10.el9.x86_64
[link@centos-stream-9 rhc]$ sudo semanage permissive --list

Builtin Permissive Types 


Customized Permissive Types

rhcd_t
[link@centos-stream-9 rhc]$ sudo dnf remove -y rhc
...
[link@centos-stream-9 rhc]$ sudo semanage permissive --list
[link@centos-stream-9 rhc]$
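
Added example, not part of the bug report or the rhc package: because both scriptlets end in `|| true`, a failed `semanage` call does not fail the RPM transaction, so the resulting state has to be checked separately, as Comment 3 does by hand. The script below parses `semanage permissive --list` output in the layout shown in Comment 3; the function names, the sample listings and the type `example_t` are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `semanage permissive --list` output whether a
# type is a *customized* permissive domain (the kind the %post scriptlet adds).

# custom_permissive_types LISTING
# Prints one type per line from the "Customized Permissive Types" section.
custom_permissive_types() {
    printf '%s\n' "$1" | awk '
        /^Builtin Permissive Types/    { section = "builtin"; next }
        /^Customized Permissive Types/ { section = "custom";  next }
        section == "custom" && NF > 0  { print $1 }
    '
}

# is_custom_permissive LISTING TYPE
# Exit status 0 only if TYPE matches a whole line of the customized section.
is_custom_permissive() {
    custom_permissive_types "$1" | grep -qxF -- "$2"
}

# check_state LISTING TYPE EXPECTED   (EXPECTED is "present" or "absent")
check_state() {
    if is_custom_permissive "$1" "$2"; then actual=present; else actual=absent; fi
    [ "$actual" = "$3" ]
}

# Constructed sample input, following the layout in Comment 3.
LISTING_INSTALLED='
Builtin Permissive Types 


Customized Permissive Types

rhcd_t'

# Before install and after removal the command printed nothing.
LISTING_REMOVED=''

# Constructed: a hypothetical type that is permissive in the shipped policy
# only, which must not be reported as added by the package.
LISTING_BUILTIN_ONLY='
Builtin Permissive Types

example_t

Customized Permissive Types
'

# On a live system (as root):
#   check_state "$(semanage permissive --list)" rhcd_t present
```

Run the `present` check after installing the package and the `absent` check after removing it; a mismatch means the scriptlet's `semanage` call failed silently.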

Comment 12 errata-xmlrpc 2023-05-09 07:37:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2237